Thousands of Superdrug customers hit in data breach

Cybercriminals claim to have stolen the personal details of 20,000 Superdrug customers.

Shares

The UK-based health and beauty retailer, Superdrug has warned online customers to change their passwords after cybercriminals claimed to have obtained the personal details of 20,000 customers.

While the group has said they obtained the personal details of 20,000 of the retailer's customers, so far Superdrug has only see evidence that 386 customers have been affected.

The cybercriminals were able to obtain the names, addresses and in some cases the date of birth and phone numbers of some customers. Fortunately, no payment details were accessed.

Superdrug says that there is no evidence that its systems had been compromised. Instead the retailer believes that the cybercriminals got customers' email addresses and passwords from other sites and then used them on Superdrug's site.

The group behind the attack has tried to extort a ransom from Superdrug though the retailer did not reveal how much the hackers asked for.

Superdrug has directly notified its customers via email in regard to the data breach. The retailer has also informed the police as well as the UK's national fraud and cybercrime division, Action fraud.

If the group actually managed to steal the details of 20,000 customers, Superdrug will have a lot more explaining to do if it wants to win back customer trust which is essential for any business following a data breach of this size.

“Yet another cyber-attack that hurts online customers should serve as a wake-up call not only to Superdrug’s IT security operations teams, but to the wider industry and consumers," said John “Lex” Robinson, anti-phishing strategist, Cofense.

"While Superdrug will no doubt begin their breach remediation process, which may include an internal enquiry to establish how this breach occurred, the organization should be aware that any leaked company details could be used to generate targeted phishing campaigns against its clients, staff and executive suite by malicious actors looking to take a second bite of the apple."

"Vigilance is key; asking customers to rotate their credentials and passwords won’t be enough to prevent it as the attacks are getting more sophisticated."